It's the Information, Stupid

Security pros won't succeed unless they broaden their focus from the infrastructure that houses information to the security of the information itself. BT Senior Security Consultant Jason Stradley explains how to get there.

By Jason Stradley, BT Senior Security Consultant

CSO|

Over the past several years there have been changes in the business environment, causing fundamental alterations in how security organizations operate to protect the enterprises for which they have responsibility.

An evolution in the nature, methods, and motivation behind the perpetration of security breaches [Timeline: 4 Years of Data Breaches] has had a profound impact on the importance of protecting data and information. This is a shift from the traditional approach of protecting the infrastructure on which the data resides.

The focus of this article is to identify ways that information in the enterprise can be inappropriately removed and a framework for how to mitigate these risks and protect your organization from the potential litigation, fines, and sheer embarrassment that can follow from such an event. [See also: Seven Practical Ideas for Security Awareness]

The unprecedented transformation in the nature and consequences of security breaches is causing a shift in the way security practitioners specifically and business leaders in general must think about the security of information within the enterprise.

The job of a security professional over the past few years has undergone a metamorphosis in response [Security Geeks: From Isolation to Rock Stars]. This metamorphosis has taken the security practitioner from a completely interrupt-driven existence of a firefighter constantly on the alert for an attack, to more of a detective engaged in constant investigation to understand whether or not there has been significant data loss from a silent assailant, one whose biggest goal next to gaining that information is keeping anonymity intact.

Hackers in the early part of the decade were eager to show their skills by perpetrating blatant attacks such as the defacement of a website home page or by bringing a mail server to its knees through a constant bombardment of useless traffic, thereby preventing legitimate users from gaining access. Today hacking is governed by a whole new paradigm, that of profit. It's all about making money the old fashioned way -- by stealing it. Today hacking is a multi-billion dollar enterprise whose sole goal is to acquire any type of information that is believed to be of value to anyone who is willing to pay for it. Hackers today go out of their way to keep their existence a secret from their victims for as long as possible in order to farm the maximum amount of information before having to go to the expense of searching for and infiltrating another victim. [See also: Botnets: 4 Reasons It's Getting Harder to Find and Fight Them]

Given the reality of our changed world, we as security practitioners must change along with it. We must extend our focus from the security of the infrastructure that houses the information to the security of the information itself. The primary mission of the security practitioner must be reconsidered to be successful.

The need to protect data and information

As an industry we have done a very good job of defining a secure infrastructure. While there are challenges in each enterprise when it comes to implementing and maintaining it, there is an excellent framework that every organization can work toward.

Even though the game is changing, many in the industry have continued to embrace the concept of a secure infrastructure and have tried to evolve it to fit the new security paradigm facing the industry. This evolution has consisted of trying to emulate the secure perimeter in a world where that perimeter is increasingly fluid and can change very quickly. The introduction of numerous portable devices and access methods create what might be described as a variable perimeter. This variable perimeter has been extremely difficult to define and even more so to implement, maintain and adapt with constant change that is more the norm than the exception in today's business climate. Add to this the ever-changing mix of customers, business partners and suppliers and the fact that at any given time an organization can have all of these relationships with another organization, leaves us with the inescapable conclusion that it is the information that needs protection, not just the infrastructure that houses and transports the information throughout its lifecycle.

When those of us who have been in the industry for many years came to this realization, some earlier than others, it was an epiphany to be sure. Once over the initial shock, a natural question for a security practitioner might be to ask "How in the world do I do that?"

Before we can develop an intelligent answer to the "how," we need to have a better definition of the "what" and the "where" in this new reality. Information leakage has been happening for years and is not a new issue. What is different now is that there are a lot more people seeking to acquire information through illegitimate means. There are a lot more methods by which this can be accomplished and there are more regulations requiring organizations take the proper steps to keep this information leakage under control. Lastly, there are an ever increasing array of penalties and consequences for those organizations unable to or unwilling to comply. These trends will continue, so it is in everyone's best interest, except of course "the bad guys", for the industry to evolve with the times and get in front of this issue sooner than later.

Before an appropriate set of controls can be defined and deployed, we need to understand the value of what needs to be protected and, to the extent that we are able, where it is located. This is similar in nature to how we go about protecting the infrastructure. The information needs to be characterized in terms of its value to the organization and the impact of its disclosure to the public. This disclosure component is of critical importance to achieving compliance with many of the data protection and privacy regulations that currently exist, as well as those yet to come.

This characterization is typically expressed as a data classification policy. A typical data classification policy defines four levels of data within the enterprise: Public, Internal, Confidential, and Restricted. The headings may differ from one organization to another, but for our purposes these headings will suffice:

Public data is typically defined as data that anyone can access and it may be disclosed to the general public without impact to the organization. Examples of this type of data may include product marketing materials, sales collaterals and for publically held companies the annual report.

Internal data is typically defined as internal business correspondence, records and data that are created during the normal course of business which is not identified as confidential or restricted. Examples of data classified as Internal include business emails, correspondence with clients.

Confidential data typically includes any and all of business, financial and technical information including, customer, product, pricing and product development plans, network and system diagrams or other non-Restricted data created in the normal course of business which if made public would cause harm the organization.

Restricted data includes all information subject to restriction in access, storage or processing by law, or regulation, or by customer contract and any other information owned or under the stewardship of an organization that could cause significant harm if inappropriately disclosed, accessed or modified.

Another important aspect that is relevant to data leakage is to define a data lifecycle to determine when and how to appropriately retire and dispose of data that is no longer needed by the business. This should be addressed in an organization data retention policy. In many cases such a policy does not exist. The data leakage issue may be the key to convince an organization to develop a comprehensive and enforceable data retention policy.

How data leaks occur

Now that we have identified the "what" we can move on the "how." This "how" will be divided into two parts. The first "how" will focus on how information and data leaks from an organization. The second "how" will be concerned with how an organization can guard against this leakage and reduce the risks associated with that leakage.

There are many egress vectors for information and data leakage. While certainly not a complete list some examples of these egress vectors include personal e-mail, P2P, unauthorized encrypted transmissions, malware infections in endpoint devices, unauthorized PDAs, smart phones and MP3 players, social engineering both electronic and non-electronic, faxing to personal e-mail, unauthorized media (CD/DVD, USB Drive, Memory Stick, etc., and traditional postal and overnight services.

In any given organization there are no doubt additional egress vectors for information and data leakage that may be specific to the type of business being conducted. The important thing is to understand what these outward vectors are such that appropriate controls can be defined and instituted to provide the required level of security to the majority of the information in the environment. The previous statement was crafted using the word "majority" for a good reason. That reason is that like any other set of security controls nothing should be considered fool-proof. While it is essential that an organization takes every reasonable precaution to protect its restricted data, it is impossible to ensure that all data is secure all of the time, especially if you are in a business that by its very nature is a target for information leakage.

How to protect against data leaks

Now that we have briefly visited the "How" that describes some of the more common information and data leakage sources, we move to the second part of "How." This second part of "How" will be an attempt to describe how to institute a set of controls that will provide the optimal level of protection for an organization.

The best chance of accomplishing this will be to remember that it is vital to not depend on any one type of solution or process. There are a variety of tools and techniques, both technical and non-technical to assist the security professional achieve the appropriate and reasonable level of security for the various types of information and data that typically exist in an enterprise.

The defense-in-depth concept is alive and well when it comes to protecting against information and data leakage. The only difference here is that when applied to infrastructure we tend to start at the outside and work our way to the inside. Assuming that we have done a reasonably good job of securing that infrastructure, for the purposes of data leakage we need to shift our thinking a bit and look to work from the inside to the outside.

For those of you with technical backgrounds think of applying an access list on a device in a network or deploying an intrusion sensor. Ideally you want to deploy either as close to the source of what you are trying to monitor and protect as possible. The data is on the inside, therefore we should start at the inside and work our way outward. This concept is extremely important as we start to consider technology solutions to help us better manage the information and data leakage issue.

From an organizational perspective, there is one weapon that every security practitioner has at their disposal that in many instances is not optimally leveraged. This weapon is ultimately the first and last line of defense in the protection of corporate information and data, as well as being the most variable in its ability to perform. The weapon that I refer to is the people in an organization. The people in an organization are closest to the critical data, so when it comes to data leakage they can be security's best friend or its worst enemy.

It is vitally important that information and data leakage and its potential impact to both the individual and the organization are covered fully in any new hire orientation session. It is also important to mention the protection of corporate information in any type of annual policy review acknowledgement that may exist. If neither of these vital parts of any training and awareness program currently exists, the data leakage issue may serve as a good leverage point to have them instituted in an organization.

The second important facet of people's involvement in combating information and data leakage in an organization is to have a mature and effective incident response capability. This is a very important aspect of any security program and equally important to any information and data leakage program. Incident response capability is the absolute last line of defense in this effort to protect information and data. Security practitioners should not operate under any illusions and should set expectations with senior management that no matter how well thought out a security program is, eventually there will be an incident of some type. The maturity of the incident response capability within a security program will make the difference between a complete disaster and a bad situation that can be overcome over the long haul.

If employees and associates can be trained and incented to understand the importance of this issue and how it can affect them, it will go a long way toward reducing the overall risk of leaking information and data from the enterprise.